paul, in another universe, the inhabitants are attempting to find some policy for dealing with what i'll call a temporally inconsistent name to address mapping, at a single, and also a second level of indirection. of course, just about everything that's ever been written (and re-written) on nanog about reputation and partition, whether w.r.t. port 25, or ports 53 and 80, appears to me to be relevant in this other universe. eric Paul Vixie wrote:
The real solution to the scorched earth problem is for aging from blacklists to be dynamic.
if we were designing a full internet system with reputation as a feature, then no doubt it would be like you're describing. however, reputation systems are a private action by private right of action and each one will have its own cost:benefit considerations. this means while it might be a good design overall, blacklist aging has to be in the interests of particular blacklist operators and subscribers, or it won't happen. it generally does not happen, since it costs more value than it produces from the point of view of a given blacklist operator or subscriber.
i think there's an argument to be made that this is inevitable. every time any ISP has enforced any kind of numerical limits on abuse by one of its customers (like first hit's free, three strikes and you're out, and so on) the abusers have either rotated through providers or through identities fast enough to make their business run in spite of the limits, or they have merely counted these slaps on the wrist as part of the cost of doing business. this means if blacklist entries all aged out, then abusers and their ISPs would simply rotate through a long chain of address blocks, and we'd see a lot of address space consumed on the "waiting for reprieve" list but it would not change the overall abuse growth rate at all.
that's not in the interests of individual blacklist operators or subscribers, who want to control abuse growth rate.
There's been some work done @ SRI on using a weighting algorithm that includes things like prevalence, persistence, and "badness", with a Gaussian decay function as to time, to establish cut levels for what should be blocked.=20
Look at Phil Porras work, and Usenix presentations.
can you tell me, before i invest my own time in it, whether this work accounts for the inevitable rebalancing and planning adjustments that the abusers will make if each proposed policy were rolled out? i fear that most studies in this area treat abuse like it was a natural phenomena and not the self-organized well-motivated thievery that it is. abusers aren't going to sit still while we wrap them in a gaussian decay function.